Version: 7.0

Web server

This article gives example TLS configuration parameters for the Apache2 and Nginx web servers, the two most commonly used for Passwork installations.

Apache2

<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    SSLCertificateFile /etc/ssl/passwork/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/passwork/privkey.pem
    # Only needed if fullchain.pem does not already contain the full chain.
    # (Apache does not accept a comment after a directive on the same line,
    # so the note is kept on its own line.)
    SSLCertificateChainFile /etc/ssl/passwork/chain.pem

    # The quoted cipher list must stay on a single line.
    SSLCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"

    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on

    DocumentRoot /var/www/public
    <Directory /var/www/public>
        Options +FollowSymLinks -Indexes -MultiViews
        AllowOverride FileInfo
        Require all granted
    </Directory>
    <FilesMatch \.php$>
        # Uncomment the SetHandler line that matches your PHP-FPM socket path.
        # DEB
        #SetHandler "proxy:unix:/run/php/php8.3-fpm.sock|fcgi://localhost/"
        # RPM
        #SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost/"
    </FilesMatch>
</VirtualHost>

# OCSP stapling. SSLStaplingCache is only valid in the global server context,
# so these directives are placed outside <VirtualHost>.
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)

SSLCipherSuite — Defines the list of allowed cipher suites; the list above contains only modern, strong suites (ECDHE key exchange with AES-GCM or ChaCha20-Poly1305).

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 — Enables only modern and secure TLS protocol versions (TLS 1.2 and 1.3); disables vulnerable and outdated ones (SSLv2, SSLv3, TLS 1.0/1.1).

SSLHonorCipherOrder on — Prioritizes the cipher list set by the server (not the client), allowing control over the algorithms used.

SSLSessionCache shmcb:/var/run/apache2/ssl_scache(512000) — Enables TLS session caching using SHMCB (shared memory cache), which speeds up repeated connections. Cache size: ~512 KB.

SSLSessionCacheTimeout 300 — Sets the lifetime of TLS sessions in the cache (in seconds).

SSL Stapling (OCSP Stapling) — a mechanism where the server itself requests the revocation status of its certificate from the Certificate Authority's (CA) OCSP responder and attaches the signed response to the TLS handshake. This speeds up the connection and reduces load on the CA, and it improves client privacy because the client no longer has to contact the CA itself.

danger

Use OCSP Stapling only if your Passwork server can access public DNS servers.

SSLUseStapling on — Enables OCSP Stapling support: the server attaches the certificate status obtained from the CA to the connection, improving performance and privacy.

SSLStaplingResponderTimeout 5 — Maximum wait time for a response from the OCSP server (CA): if no response arrives within 5 seconds, the request is considered failed.

SSLStaplingReturnResponderErrors off — If the OCSP server does not respond, do not send an error to the client. The connection is still allowed (improves resilience in unstable networks).

SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000) — Cache OCSP responses in shared memory, about 128 KB, reducing the frequency of CA queries.

SSLSessionTickets off — Disables TLS session tickets. By default, tickets are enabled: they speed up TLS connection establishment by reusing the parameters of previous sessions, reducing server load. Disabling them only affects connections using TLS 1.2. For TLS 1.3, tickets are managed by OpenSSL and Apache2 cannot disable their use.

Nginx

# These directives belong inside the server block for the Passwork site.
server {
    listen 443 ssl default_server;
    ssl_certificate /server/ssl/fullchain.pem;
    ssl_certificate_key /server/ssl/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;

    # OCSP stapling. The resolver is required so nginx can look up the
    # OCSP responder's hostname.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 8.8.8.8 valid=300s;
    resolver_timeout 5s;
}

ssl_protocols TLSv1.2 TLSv1.3; — Restricts the allowed TLS versions to secure ones only; outdated and vulnerable SSL/TLS protocols (TLS 1.0/1.1) are disabled.

ssl_ciphers — Defines the list of allowed cipher suites; the list above contains only modern, strong suites.

ssl_prefer_server_ciphers on; — Uses the server's cipher priority rather than the client's, giving the server control over which algorithms are negotiated.

ssl_session_cache shared:SSL:50m; — Enables a 50 MB shared TLS session cache across connections and worker processes, which speeds up reconnects and reduces load.

ssl_session_timeout 1d; — Sets the session lifetime in the cache: the client can reuse the TLS session for one day unless the cache is cleared.

SSL Stapling (OCSP Stapling) — a mechanism where the server itself requests the revocation status of its certificate from the Certificate Authority's (CA) OCSP responder and attaches the signed response to the TLS handshake. This speeds up the connection and reduces load on the CA, and it improves client privacy because the client no longer has to contact the CA itself.

danger

Use OCSP Stapling only if Passwork can access public DNS servers.

ssl_stapling on; — Enables OCSP Stapling: the server provides fresh certificate status to the client, speeding up verification and improving client privacy.

ssl_stapling_verify on; — Makes the server verify the OCSP response against the issuing CA chain before stapling it, so that an invalid or forged status is never delivered to clients.

resolver 1.1.1.1 8.8.8.8 valid=300s; — Specifies the DNS servers used to resolve domain names (e.g. the OCSP responder for stapling); responses are cached for 5 minutes. The example uses Cloudflare (1.1.1.1) and Google DNS (8.8.8.8).

resolver_timeout 5s; — Maximum wait time for a DNS response: if no response arrives within 5 seconds, the lookup is considered failed.
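Whether stapling actually works (for either the Apache or the Nginx configuration above) is only visible from the client side of the handshake. The following script is an added example, not code from the Passwork documentation or product: it drives the OpenSSL command-line client (`openssl s_client -status`, assumed to be installed) and classifies what the server stapled. The parser is kept separate from the network call so it can be exercised on the constructed sample outputs embedded below; a server whose resolver or OCSP responder is unreachable shows up as "none".

```python
"""Verify that a TLS server staples an OCSP response (added example)."""
import re
import subprocess


def parse_stapling_status(s_client_output: str) -> str:
    """Classify the text printed by `openssl s_client -status`.

    Returns:
      "none"    - no OCSP response was attached (stapling off, or the responder
                  could not be reached and nothing was cached)
      "good"    - a response was stapled and reports the certificate as good
      "revoked" - a response was stapled and reports revocation
      "unknown" - a response was stapled with status unknown
      "error"   - a response block was present but the responder reported a
                  failure such as tryLater (what Apache sends when
                  SSLStaplingReturnResponderErrors is on and the fetch failed)
    """
    if "OCSP response: no response sent" in s_client_output:
        return "none"
    cert_status = re.search(r"Cert Status:\s*(good|revoked|unknown)", s_client_output)
    if cert_status:
        return cert_status.group(1)
    responder = re.search(r"OCSP Response Status:\s*(\w+)", s_client_output)
    if responder and responder.group(1) != "successful":
        return "error"
    return "none"


def check_stapling(host: str, port: int = 443, timeout: int = 15) -> str:
    """Connect with SNI to host:port and classify the stapled response.

    Needs network access and the `openssl` binary; not run in the offline demo.
    """
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}",
         "-servername", host, "-status"],
        input=b"",            # EOF on stdin makes s_client exit after the handshake
        capture_output=True,
        timeout=timeout,
        check=False,
    )
    return parse_stapling_status(proc.stdout.decode("utf-8", errors="replace"))


# Constructed excerpts of s_client output for the offline demonstration
# (not real captures; only the lines the parser looks at are included).
SAMPLE_STAPLED = """\
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2025 GMT
======================================
"""

SAMPLE_NO_RESPONSE = """\
CONNECTED(00000003)
OCSP response: no response sent
"""

SAMPLE_RESPONDER_ERROR = """\
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: tryLater (0x3)
======================================
"""

if __name__ == "__main__":
    for label, sample in [("stapled", SAMPLE_STAPLED),
                          ("no response", SAMPLE_NO_RESPONSE),
                          ("responder error", SAMPLE_RESPONDER_ERROR)]:
        print(f"{label:>16}: {parse_stapling_status(sample)}")
    # Against a live host: print(check_stapling("example.com"))
```

Run `check_stapling()` against the Passwork host from a machine outside the server's own network; "none" right after a restart can simply mean the first OCSP fetch has not completed yet, so repeat the check after a few seconds before concluding that the resolver or responder is blocked.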

ssl_session_tickets off; — Disables TLS session tickets.

By default, tickets are enabled as they speed up TLS connection establishment by reusing parameters of previous sessions, reducing server load. Disabling makes sense only if all the following conditions are met simultaneously:

  • The application runs on multiple servers;
  • A single wildcard certificate is used on all instances;
  • Servers are distributed across different data centers, and there is no centralized management of TLS session keys.
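The hardening points made for both servers (no legacy protocol versions, only ECDHE/AEAD cipher suites, server-side cipher order, stapling paired with a resolver, and Apache's rule that a `#` comment cannot follow a directive on the same line) can be checked mechanically before a deploy. The audit script below is an added example, not code from the Passwork documentation or product; it parses a fragment in either syntax and reports findings. The fragments at the bottom are constructed for the demonstration, with the "good" ones mirroring the article's settings.

```python
"""Audit Apache/Nginx TLS directives against this article's hardening points (added example)."""
import re

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# ECDHE key exchange with an AEAD cipher: the only shape in the article's cipher lists.
STRONG_SUITE = re.compile(
    r"^ECDHE-(ECDSA|RSA)-(AES(128|256)-GCM-SHA(256|384)|CHACHA20-POLY1305)$"
)


def parse_directives(text: str, flavour: str) -> dict:
    """Return {directive_name_lowercase: value} for the simple directives in a fragment.

    A quoted cipher list wrapped over several lines is joined first. Section tags
    (<VirtualHost>, <Directory>), braces and comment lines are skipped, and a
    directive repeated later overrides the earlier value, as both servers do.
    """
    text = re.sub(r":\s*\n\s*", ":", text)
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<}" or line.endswith("{"):
            continue
        if flavour == "nginx":
            if not line.endswith(";"):
                continue
            line = line[:-1]
        name, _, value = line.partition(" ")
        directives[name.lower()] = value.strip().strip("'\"")
    return directives


def enabled_legacy_protocols(directives: dict, flavour: str) -> set:
    """Work out which legacy protocol versions the fragment still permits."""
    if flavour == "apache":
        # 'all -X -Y' form: every version is on unless explicitly removed.
        tokens = (directives.get("sslprotocol") or "all").split()
        if "all" in tokens:
            removed = {t[1:] for t in tokens if t.startswith("-")}
            return LEGACY_PROTOCOLS - removed
        return {t.lstrip("+") for t in tokens if not t.startswith("-")} & LEGACY_PROTOCOLS
    return set(directives.get("ssl_protocols", "").split()) & LEGACY_PROTOCOLS


def audit(text: str, flavour: str) -> list:
    """Return (finding_code, detail) tuples; an empty list means nothing to report."""
    d = parse_directives(text, flavour)
    findings = []
    legacy = enabled_legacy_protocols(d, flavour)
    if legacy:
        findings.append(("weak-protocol", "still enabled: " + ", ".join(sorted(legacy))))
    cipher_key = "sslciphersuite" if flavour == "apache" else "ssl_ciphers"
    for suite in filter(None, d.get(cipher_key, "").split(":")):
        if not STRONG_SUITE.match(suite):
            findings.append(("weak-cipher", f"{suite} is outside the ECDHE+AEAD set"))
    order_key = "sslhonorcipherorder" if flavour == "apache" else "ssl_prefer_server_ciphers"
    if d.get(order_key, "").lower() != "on":
        findings.append(("client-cipher-order", f"{order_key} is not 'on'"))
    if flavour == "nginx" and d.get("ssl_stapling") == "on" and "resolver" not in d:
        findings.append(("stapling-no-resolver", "ssl_stapling on but no resolver directive"))
    if flavour == "apache":
        for raw in text.splitlines():
            line = raw.strip()
            if line and not line.startswith("#") and " #" in line:
                findings.append(("inline-comment", f"Apache rejects trailing comments: {line}"))
    return findings


# Constructed fragments for the demonstration.
GOOD_APACHE = """
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
SSLHonorCipherOrder on
SSLUseStapling on
"""
WEAK_APACHE = """
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA"
SSLHonorCipherOrder off
SSLCertificateChainFile /etc/ssl/chain.pem # only if needed
"""
GOOD_NGINX = """
server {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 8.8.8.8 valid=300s;
}
"""
WEAK_NGINX = """
server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'HIGH:!aNULL';
    ssl_prefer_server_ciphers off;
    ssl_stapling on;
}
"""

if __name__ == "__main__":
    for label, text, flavour in [("good apache", GOOD_APACHE, "apache"),
                                 ("weak apache", WEAK_APACHE, "apache"),
                                 ("good nginx", GOOD_NGINX, "nginx"),
                                 ("weak nginx", WEAK_NGINX, "nginx")]:
        print(label, "->", audit(text, flavour) or "no findings")
```

The parser deliberately ignores sections and nesting, so run it on the TLS fragment of one virtual host or server block at a time; it complements, rather than replaces, `apachectl configtest` and `nginx -t`, which catch syntax errors but say nothing about whether the negotiated protocols and suites are the ones intended.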